WHAT IS CLAIMED IS: 



1 1. A method for booting a computer system with first and second versions of a 

2 bootable program comprising the steps of: 

3 loading said first and second versions of said bootable program into first and 

4 second partitions of a storage device coupled to said computer system; 

5 hashing a boot record (BR) of said first and second versions of said bootable 

6 program producing respective first and second digests; 

7 signing said first and second digests using a cryptographic signature engine and 

8 a private installation key producing first and second signatures; 

9 storing said first and second signatures with additional data defining said first and 

1 0 second versions of said bootable program in first and second entries in said non-volatile 

1 1 memory coupled to said computer system; 

12 assigning said first partition as an active partition of said storage device by 

13 updating an active partition entry of a partition table of a master boot record (MBR)of 

14 said storage device, said active partition entry indicating which version of said BP is 

1 5 booted on a power up of said computer system; 

16 assigning said first entry corresponding to said first version of said bootable 

17 program as an active entry in said non-volatile memory; and 

1 8 assigning said second entry corresponding to said second version of said bootable 

19 program as an alternate entry in said non- volatile memory. 

1 2. The method of claim 1 further comprising the step of: 

2 locking said first and second entries in said non-volatile memory with a hardware 

3 locking mechanism of said computer system preventing modification of contents of said 

4 first and second entries. 
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1 3 . The method of claim 1 , wherein said bootable program is an operating system of 

2 said computer system. 

1 4. The method of claim 1 further comprising the steps of: 

2 loading a BR from said active partition entry of said MBR using 

3 Power-On-Self-Test (POST) code when said computer system is powered up; 

4 decrypting said first signature in said active entry using a public installation key; 

5 comparing a hash of said BR of said active partition to a hash of a BR retrieved 

6 from said active entry, returning a first compare result; 

7 booting with said first version of said bootable program in said active partition 

8 when said first compare result is true; and 

9 retrieving said second signature from said alternate entry when said first compare 
10 result is false. 

1 5. The method of claim 4 further comprising the steps of : 

2 decrypting said second signature in said alternate entry using said public 

3 installation key; 

4 comparing said hash of said BR of said active partition to a hash of a BR 

5 retrieved from said alternate entry, returning a second compare result; 

6 clearing said active entry from said non-volatile memory when said second 

7 compare result is true; 

8 moving contents said alternative entry to said active entry; and 

9 booting with said alternate version identified by said active entry. 

1 6. The method of claim 5 further comprising the step of: 

2 halting said POST when said second compare result is false. 
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1 7. The method of claim 1 further comprising the step of: 

2 monitoring a third entry of said non-volatile memory for an indication said third 

3 entry is valid. 

1 8. The method of claim 7 further comprising the step of: 

2 moving contents of said second entry to said first entry in response to said valid 

3 indication. 

1 9. The method of claim 8 further comprising the steps of: 

2 moving contents of said third entry to said second entry; 

3 marking said second partition corresponding to said second version of said 

4 bootable program as said active partition entry in said master boot record; and 

5 booting said version of said bootable program in said active partition. 

1 10. The method of claim 9 further comprising the step of: 

2 locking said first and second entries in said non-volatile memory with a hardware 

3 locking mechanism of said computer system preventing modification of contents of said 

4 first and second entries. 
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1 11. A computer system comprising: 

2 a central processing unit (CPU); 

3 a random access memory (RAM); 

4 an electronically erasable programmable read only memory (EEPROM); 

5 an I/O adapter; 

6 a disk storage system coupled to said I/O adapter; and 

7 a bus system coupling said CPU to said EEPROM, said VO adapter, and said 

8 RAM, wherein said CPU further comprises; 

9 circuitry for loading said first and second versions of said bootable program into 

10 first and second partitions of a storage device coupled to said computer system; 

1 1 circuitry for hashing a boot record (BR) of said first and second versions of said 

1 2 bootable program producing respective first and second digests; 

1 3 circuitry for signing said first and second digests using a cryptographic signature 

14 engine and a private installation key producing first and second signatures; 

1 5 circuitry for storing said first and second signatures with additional data defining 

1 6 said first and second versions of said bootable program in first and second entries in said 

1 7 non-volatile memory coupled to said computer system; 

18 circuitry for assigning said first partition as an active partition of said storage 

19 device by updating an active partition entry of a partition table of a master boot record 

20 (MBR)of said storage device, said active partition entry indicating which version of said 

21 BP is booted on a power up of said computer system; 

22 circuitry for assigning said first entry corresponding to said first version of said 

23 bootable program as an active entry in said non-volatile memory; and 

24 circuitry for assigning said second entry corresponding to said second version of 

25 said bootable program as an alternate entry in said non-volatile memory. 
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1 12. The computer system of claim 1 1 further comprising: 

2 locking said first and second entries in said non-volatile memory with a hardware 

3 locking mechanism of said computer system preventing modification of contents of said 

4 first and second entries. 

1 13. The computer system of claim 1 1 , wherein said bootable program is an operating 

2 system of said computer system. 

1 14. The computer system of claim 1 1 further comprising: 

2 circuitry for loading a BR from said active partition entry of said MBR using 

3 Power-On-Self-Test (POST) code when said computer system is powered up; 

4 circuitry for decrypting said first signature in said active entry using said public 

5 installation key; 

6 circuitry for comparing a hash of said BR of said active partition to a hash of a 

7 BR retrieved from said active entry, returning a first compare result; 

8 circuitry for booting with said first version of said bootable program in said active 

9 partition when said first compare result is true; and 

1 0 circuitry for retrieving said second signature from said alternate entry when said 

1 1 first compare result is false. 
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1 15. The computer system of claim 14 further comprising: 

2 circuitry for decrypting said second signature in said alternate entry using said 

3 public installation key; 

4 circuitry for comparing said hash of said BR of said active partition to a hash of 

5 a BR retrieved from said alternate entry, returning a second compare result; 

6 circuitry for clearing said active entry from said non- volatile memory when said 

7 second compare result is true; 

8 circuitry for moving contents said alternative entry to said active entry; and 

9 circuitry for booting with said altemate version identified by said active entry. 

1 16. The computer system of claim 15 further comprising: 

2 circuitry for halting said POST when said second compare result is false. 

1 17. The computer system of claim 1 1 further comprising: 

2 circuitry for monitoring a third entry of said non-volatile memory for an 

3 indication said third entry is valid. 

1 18. The computer system of claim 17 further comprising: 

2 circuitry for moving contents of said second entry to said first entry in response 

3 to said valid indication. 

1 19. The computer system of claim 1 8 further comprising: 

2 circuitry for moving contents of said third entry to said second entry; 

3 circuitry for marking said second partition corresponding to said second version 

4 of said bootable program as said active partition entry in said master boot record; and 

5 circuitry for booting said version of said bootable program in said active partition. 



RPS9 2001 0106 



23 



20. The computer system of claim 19 further comprising: 

circuitry for locking said first and second entries in said non-volatile memory 
with a hardware locking mechanism of said computer system preventing modification 
of contents of said first and second entries. 
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1 21. A computer program product for booting a computer system having first and 

2 second versions of a bootable program, said computer program product embodied in a 

3 machine readable medium, including programming for a processor, said computer 

4 program comprising a program of instructions for performing the program steps of: 

5 loading said first and second versions of said bootable program into first and 

6 second partitions of a storage device coupled to said computer system; 

7 hashing a boot record (BR) of said first and second versions of said bootable 

8 program producing respective first and second digests; 

9 signing said first and second digests using a cryptographic signature engine and 

1 0 a private installation key producing first and second signatures; 

1 1 storing said first and second signatures with additional data defining said first and 

1 2 second versions of said bootable program in first and second entries in said non- volatile 

1 3 memory coupled to said computer system; 

14 assigning said first partition as an active partition of said storage device by 

15 updating an active partition entry of a partition table of a master boot record (MBR)of 

16 said storage device, said active partition entry indicating which version of said BP is 

17 booted on a power up of said computer system; 

18 assigning said first entry corresponding to said first version of said bootable 

19 program as an active entry in said non-volatile memory; and 

20 assigning said second entry corresponding to said second version of said bootable 

21 program as an alternate entry in said non- volatile memory. 
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1 22. The computer program product of claim 21 further comprising the step of: 

2 locking said first and second entries in said non- volatile memory with a hardware 

3 locking mechanism of said computer system preventing modification of contents of said 

4 first and second entries. 

1 23 . The computer program product of claim 21 , wherein said bootable program is an 

2 operating system of said computer system. 

1 24. The computer program product of claim 2 1 further comprising the steps of: 

2 loading a BR from said active partition with Power-On-Self-Test (POST) code 

3 when said computer system is powered up; 

4 decrypting said first signature in said active entry using said public installation 

5 key; 

6 comparing a hash of said BR of said active partition to a hash of a BR retrieved 

7 from said active entry, returning a first compare result; 

8 booting with said first version of said bootable program in said active partition 

9 when said first compare result is true; and 

1 0 retrieving said second signature from said alternate entry when said first compare 

1 1 result is false. 

1 25 . The computer program product of claim 24 further comprising the steps of: 

2 decrypting said second signature in said alternate entry using said public 

3 installation key; 

4 comparing said hash of said BR of said active partition to a hash of a BR 

5 retrieved from said alternate entry, returning a second compare result; 

6 clearing said active entry from said non-volatile memory when said second 

7 compare result is true; 

8 moving contents said alternative entry to said active entry; and 
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9 booting with said alternate version identified by said active entry. 

10 26. The computer program product of claim 25 further comprising the step of: 

1 1 halting said POST when said second compare result is false. 

1 27. The computer program product of claim 21 further comprising the step of: 

2 monitoring a third entry of said non-volatile memory for an indication said third 

3 entry is valid. 

1 28. The computer program product of claim 27 further comprising the step of: 

2 moving contents of said second entry to said first entry in response to said valid 

3 indication. 

1 29. The computer program product of claim 28 further comprising the steps of: 

2 moving contents of said third entry to said second entry; 

3 marking said second partition corresponding to said second version of said 

4 bootable program as said active partition entry in said master boot record; and 

5 booting said version of said bootable program in said active partition. 

1 30. The computer program product of claim 29 further comprising the step of: 

2 locking said first and second entries in said non-volatile memory with a hardware 

3 locking mechanism of said computer system preventing modification of contents of said 

4 first and second entries. 
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5 31. A method for booting a computer system with first and second versions of a 

6 bootable program (BP) comprising the steps of: 

7 loading said first and second versions of said bootable program into first and 

8 second partitions of a storage device coupled to said computer system; 

9 identifying said first version as an active partition in a master boot record (MBR) 

10 by placing data defining said first version in an active partition entry, said active partition 

11 entry indicating which version of said BP is booted on a power up of said computer 

12 system; 

1 3 maintaining a version management table in a non-volatile memory wherein data 

14 placed in an active entry indicates which version of said BP corresponds to an active 

1 5 version and wherein data placed in an alternate entry indicates which version of said BP 

16 corresponds to an alternate version; 

1 7 comparing selected data in said active entry in said version management table to 

18 selected data pointed to by said active partition entry of said MBR returning a first 

19 compare result; and 

20 booting with said version in said active partition if said first compare result is 

21 true. 

1 32. The method of claim 3 1 , wherein said active and alternate entries in said version 

2 management table are locked with a hardware read only locking mechanism at selected 

3 times. 

1 33. The method of claim 3 1 , wherein said bootable program is an operating system 

2 of said computer system. 
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1 34. The method of claim 31 further comprising the steps of: 

2 replacing said data in said active entry with said data in said alternate entry if said 

3 first result is false; 

4 comparing selected data in said active entry in said version management table to 

5 selected data pointed to by said active partition entry of said MBR returning a second 

6 compare result; and 

7 booting with said alternate version in said active partition if said second compare 

8 result is true. 

1 35. The method of claim 34 further comprising the step of: 

2 stopping booting of said computer system if said second compare result is false. 

1 36. The method of claim 3 1 , wherein said active partition pointed to by said active 

2 partition entry in said MBR is changed in response to a version management program 

3 command sequence. 

1 37 . The method of claim 3 1 , wherein said compare step is performed by Power-On 

2 Self-Test (POST) code. 

1 38. The method of claim 34, wherein said compare step is performed by Power-On 

2 Self-Test (POST) code. 

1 39. The method of claim 31 further comprising the step of: 

2 determining when contents of a third entry of said non-volatile memory are valid. 
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1 40. The method of claim 39 further comprising the step of: 

2 moving contents of said alternate entry to said active entry when said contents of 

3 said third entry are valid. 

1 41 . The method of claim 40 further comprising the steps of: 

2 moving contents of said third entry to said alternate entry; 

3 marking a second partition corresponding to said second version of said bootable 

4 program as said active partition in said MBR; and 

5 booting said version of said bootable program in said active partition. 

1 42. The method of claim 41 further comprising the step of: 

2 locking said active and alternate entries in said non-volatile memory to prevent 

3 a modification of contents of said active and alternate entries. 
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1 43. A computer system comprising: 

2 a central processing unit (CPU); 

3 a random access memory (RAM); 

4 an electronically erasable programmable read only memory (EEPROM); 

5 an I/O adapter; 

6 a disk storage system coupled to said I/O adapter; and 

7 a bus system coupling said CPU to said EEPROM, said I/O adapter, and said 

8 RAM, wherein said CPU further comprises; 

9 circuitry for loading said first and second versions of said bootable program into 

10 first and second partitions of a storage device coupled to said computer system; 

1 1 circuitry for identifying said first version as an active partition in a master boot 

1 2 record (MBR) by placing data defining said first version in an active partition entry, said 

1 3 active partition entry indicating which version of said BP is booted on a power up of said 

14 computer system; 

15 circuitry for maintaining a version management table in a non- volatile memory 

1 6 wherein data placed in an active entry indicates which version of said BP corresponds to 

17 an active version and wherein data placed in an alternate entry indicates which version 

18 of said BP corresponds to an alternate version; 

19 circuitry for comparing selected data in said active entry in said version 

20 management table to selected data pointed to by said active partition entry of said MBR 

21 returning a first compare result; and 

22 circuitry for booting with said version in said active partition if said first compare 

23 result is true. 

1 44. The computer system of claim 43, wherein said active and alternate entries in said 

2 version management table are locked with a hardware read only locking mechanism at 

3 selected times. 
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1 45 . The computer system of claim 43 , wherein said bootable program is an operating 

2 system of said computer system. 

1 46. The computer system of claim 43 further comprising: 

2 circuitry for replacing said data in said active entry with said data in said alternate 

3 entry if said first result is false; 

4 circuitry for comparing selected data in said active entry in said version 

5 management table to selected data pointed to by said active partition entry of said MBR 

6 retuming a second compare result; and 

7 circuitry for booting with said alternate version in said active partition if said 

8 second compare result is true. 

1 47. The computer system of claim 46 further comprising: 

2 circuitry for stopping booting said computer system if said second compare result 

3 is false. 

1 48. The computer system of claim 43, wherein said active partition pointed to by said 

2 active partition entry in said MBR is changed in response to a version management 

3 program command sequence. 

1 49. The computer system of claim 43, wherein said compare step is performed by 

2 Power-On Self-Test (POST) circuitry. 

1 50. The computer system of claim 46, wherein said compare is performed by 

2 Power-On Self-Test (POST) circuitry. 
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1 51. The computer system of claim 43 further comprising: 

2 circuitry for determining when contents of a third entry of said non-volatile 

3 memory are valid. 

1 52. The computer system of claim 51 further comprising: 

2 circuitry for moving contents of said alternate entry to said active entry when said 

3 contents of said third entry are valid. 

1 53. The computer system of claim 52 further comprising: 

2 circuitry for moving contents of said third entry to said alternate entry; 

3 circuitry for marking a second partition corresponding to said second version of 

4 said bootable program as said active partition in said MBR; and 

5 circuitry for booting said version of said bootable program in said active partition. 

1 54. The computer system of claim 53 further comprising: 

2 circuitry for locking said active and alternate entries in said non-volatile memory 

3 to prevent modification of contents of said active and alternate entries. 
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